Restricting changes on windows register keys

Solomon

Distinguished
May 9, 2004
15
0
18,510
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

Just allow some users to change values on register windows keys.

My insufficients steps:
1. Enable local and domain policy "Prevent access to registry editing tools"
2. Restrict regedit.exe and regedt32.exe use on ""Don't run specified
Windows applications" and "Restrict these
programs from being launched from Help" policies and enable "Prevent access
to the command prompt"
3. Restrict Permissions (right click on register key selected) for some
users.

But some users continues changing values on keys "restricted" (step 3)

How can I restrict completely permissions (security) to do changes on
register windows keys?

We're using WXP SP2 and W2K Server Standard SP4

THANKS
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 3 Mar 2005 11:57:49 -0600, "Solomon" <inteca@NOracsa.co.cr>
wrote:

>Just allow some users to change values on register windows keys.
>
>My insufficients steps:
>1. Enable local and domain policy "Prevent access to registry editing tools"
>2. Restrict regedit.exe and regedt32.exe use on ""Don't run specified
>Windows applications" and "Restrict these
>programs from being launched from Help" policies and enable "Prevent access
>to the command prompt"
>3. Restrict Permissions (right click on register key selected) for some
>users.
>
>But some users continues changing values on keys "restricted" (step 3)
>
>How can I restrict completely permissions (security) to do changes on
>register windows keys?
>
>We're using WXP SP2 and W2K Server Standard SP4
>
>THANKS
>
Do your users have ADMIN privileges ?

Dave
 

Solomon

Distinguished
May 9, 2004
15
0
18,510
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

Of course not.
All are domain users (not local: Administrators & Power Users by example)
and they are member of Domain Users plus other groups (with scope Global and
type security) dependent of theirs departments (not Administrators, Domain
Admins, ... Admins)

THKS!
---
"da_test" <davexnet02NO@SPAMyahoo.com> wrote in message
news:ncme21hbjbeq3pdr1kr5nhvmaqs5u3kbfb@4ax.com...
> On Thu, 3 Mar 2005 11:57:49 -0600, "Solomon" <inteca@NOracsa.co.cr>
> wrote:
>
>>Just allow some users to change values on register windows keys.
>>
>>My insufficients steps:
>>1. Enable local and domain policy "Prevent access to registry editing
>>tools"
>>2. Restrict regedit.exe and regedt32.exe use on ""Don't run specified
>>Windows applications" and "Restrict these
>>programs from being launched from Help" policies and enable "Prevent
>>access
>>to the command prompt"
>>3. Restrict Permissions (right click on register key selected) for some
>>users.
>>
>>But some users continues changing values on keys "restricted" (step 3)
>>
>>How can I restrict completely permissions (security) to do changes on
>>register windows keys?
>>
>>We're using WXP SP2 and W2K Server Standard SP4
>>
>>THANKS
>>
> Do your users have ADMIN privileges ?
>
> Dave
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 3 Mar 2005 13:51:59 -0600, "Solomon" <inteca@NOracsa.co.cr>
wrote:

>Of course not.
>All are domain users (not local: Administrators & Power Users by example)
>and they are member of Domain Users plus other groups (with scope Global and
>type security) dependent of theirs departments (not Administrators, Domain
>Admins, ... Admins)
>
>THKS!
You are trying to restrict users access to the registry, but some how
they are accessing it? Have you a theory as to how they are
accomplshing it?

Are they logging on as local administrators is SAFEMODE
for example?
DAve
 

Solomon

Distinguished
May 9, 2004
15
0
18,510
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

I think they are accessing registry through DOS mode or remotely.
We don't use local users, just domain users. All default local users are
disabled.

---
"da_test" <davexnet02NO@SPAMyahoo.com> wrote in message
news:7pcf21dho1qgf8q70r5g7nio5btosbn8v3@4ax.com...
> You are trying to restrict users access to the registry, but some how
> they are accessing it? Have you a theory as to how they are
> accomplshing it?
>
> Are they logging on as local administrators is SAFEMODE
> for example?
> DAve
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

>"da_test" <davexnet02NO@SPAMyahoo.com> wrote in message
>news:7pcf21dho1qgf8q70r5g7nio5btosbn8v3@4ax.com...
>> You are trying to restrict users access to the registry, but some how
>> they are accessing it? Have you a theory as to how they are
>> accomplshing it?
>>
>> Are they logging on as local administrators is SAFEMODE
>> for example?
>> DAve
>
>On Fri, 4 Mar 2005 11:27:23 -0600, "Solomon" <inteca@NOracsa.co.cr> wrote:

>I think they are accessing registry through DOS mode or remotely.
>We don't use local users, just domain users. All default local users are
>disabled.
>
What about the administrator account in safemode?
That's impossible to disable isn't it?

Dave